HarborGuard Database

CVE-2026-12327 | Severity: HIGH | CNA: mozilla

CVE-2026-12327: Memory safety bugs fixed in Firefox ESR 140.12, Thunderbird ESR 140.12, Firefox 152 and Thunderbird 152

Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

Metrics

  • CVSS v3.1: 7.3
  • Severity: HIGH
  • Fixed in: 140.12
  • Affected products: 2


HarborGuard Analysis

Synopsis

Memory safety bugs affecting Mozilla Firefox and Thunderbird allow a remote, unauthenticated attacker to trigger memory corruption via the network. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the service is reachable over the network with no login or user action required, and successful exploitation enables limited data disclosure, content tampering, and potential arbitrary code execution. Patched-image rebuilds at Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird ESR 140.12 are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-12327 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream Mozilla and NVD feeds, including custom-built images that bundle Firefox or Thunderbird. Matching runs against both registry snapshots and images scanned at CI/CD pipeline build time.

Triage: Available

HarborGuard scores this CVE at 7.3 HIGH using the published CVSS v3.1 vector and weights it against each environment's active compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild at Firefox 152 or Firefox ESR 140.12 (and the equivalent Thunderbird versions) becomes available on HarborGuard the moment affected images are identified against these fix versions. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the affected Firefox or Thunderbird instance over the network; no physical or local access is needed (AV:N).

  • Authentication: Not required

    No login or account credentials are needed to trigger the vulnerability (PR:N).

  • Victim interaction: Not required

    The attacker does not need the user to click a link or take any action to initiate exploitation (UI:N).

  • Attack complexity: Low

    Exploitation does not depend on race conditions or special environmental factors that the attacker would have to arrange (AC:L).

Blast Radius

  • A successful attacker reads a limited subset of in-process data, which may include browsing session content or in-memory application data (C:L).
  • The attacker modifies a limited subset of in-process data or rendered content, enabling partial content tampering (I:L).
  • Memory corruption can destabilize the browser or mail client process, causing crashes and service interruption (A:L).
  • Where memory corruption is leveraged to its fullest extent, the attacker runs arbitrary code within the browser or Thunderbird process context.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-12327 is active across all scanning environments, matched against images containing affected Firefox or Thunderbird versions within minutes of CVE publication. Where compliance policy permits, HarborGuard can trigger a patched-image rebuild pinned to Firefox 152, Firefox ESR 140.12, Thunderbird 152, or Thunderbird ESR 140.12. For customers who opt into auto-remediation, the full flow includes the rebuild, an automated regression run, and a PR opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Customers who manage remediation manually will find the affected image list and fix-version recommendations surfaced in the HarborGuard findings dashboard for prioritized review.


Fix available

Fixed in: 140.12, 152

Affected packages
  • Mozilla / Firefox: fixed in 140.12, 152
  • Mozilla / Thunderbird: fixed in 140.12, 152

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L